Encryption Blog

The Chicken or the Egg -- Why You Should Decrypt Before Upgrading to OS X Lion

Created: 20 Jul 2011 • Updated: 05 Nov 2012 • 14 comments
Kelvin_Kwan's picture
+6 6 Votes

Before I begin “The Chicken or the Egg” portion of the blog, I want to address a question that many people are asking: “Why must I first decrypt before upgrading to Lion?” There are many reasons. However, one of the biggest is that in Lion, Apple has added Recovery Partition support. This Recovery Partition allows you to perform repairs and recovery on your Mac without having to find the DVD that came with it. This is important because whenever your system is encrypted, it is NOT advisable to create, resize, or move partitions. This holds regardless of whether you’re running OS X, Windows, or Linux. Bad things (e.g. data integrity issues) tend to happen when you modify partitions on an encrypted disk. So, Symantec has stated that you must first decrypt and uninstall PGP Desktop or SEE Full Disk Edition (FDE) before upgrading to Lion.

Now back to The Chicken or the Egg…   

So a lot of people are probably wondering what happens if you upgrade to OS X 10.7 (Lion) while still encrypted with either PGP Desktop or SEE Full Disk Encryption (FDE) for Mac. Our QA team here at Symantec has been busy testing PGP Desktop and SEE FDE against various Lion Preview versions of OS X 10.7. These tests include installing PGP Desktop and SEE FDE on OS X 10.6.x and upgrading to 10.7 while encrypted, as well as performing a clean 10.7 install and then installing and encrypting with PGP Desktop and SEE FDE. There is a large matrix of test scenarios that need to be thoroughly vetted to ensure the best possible user experience. This is why Symantec has recommended that users DO NOT upgrade to OS X 10.7 yet. Please allow us more time to test and adjust the code as necessary.

I’m sure some of you are curious about what we have seen thus far in our testing (and may be afraid to try it on your own systems). Well, you’re in luck; I’ve had some conversations with QA about the behaviors they have been observing during testing. Here are a couple of the more interesting results we have seen.

  1. If the Mac is already encrypted by PGP Desktop or SEE FDE, and you attempt to update to Lion, the Lion installer will fail. This is because Lion is unable to find a valid disk to install on. Thus, you can’t install Lion at all. (This is actually a good thing since it prevents you from possible data integrity issues with an accidental install/upgrade of Lion.)
  2. The Mac is not encrypted, but PGP Desktop or SEE FDE is running. You would be able to upgrade to Lion through either the App Store or the Lion installer DVD. Upon the first reboot after the Lion upgrade, the user will be prompted with an “Install Java Runtime in order to run PGP Desktop” message. If you choose not to install Java runtime, PGP Desktop or SEE FDE will not run properly. If you choose to install Java runtime, then PGP Desktop and SEE FDE will run properly. (Note: I have not heard what happens if you try to encrypt at this point. I would not recommend finding out on your own either.)

Please note that tests are being run against various versions of Lion Preview.  The behavior has been known to change between different versions of Lion Preview.  Until we have a Gold version, testing cannot be 100% completed, and thus an approved version of PGP Desktop or SEE FDE for Macs would not be immediately available.  Believe me, we want to have a version of PGP Desktop and SEE FDE approved for Lion as soon as possible as well.  

So, please be patient with us as we test and address any compatibility issues we encounter during this process.  After all, I too have selfish reasons for an approved version.  I want to install Lion on my encrypted MacBook as well.

14 Comments

isopepper's picture

Thanks for the status update! Look forward to full support.

+4
Kelvin_Kwan's picture

Hey Everyone,
I just added a link in the blog posting above.  The link goes to a Knowledge Base article related to upgrading your Mac to Lion with either PGP Desktop 10.x or Symantec Endpoint Encryption Full Disk 8.x installed and encrypted.

If you've read thru the blog already and don't want to search for the link, you can also go here:  http://www.symantec.com/docs/TECH165159

Regards,
-kelvin

0
jkuhnert's picture

I'm not asking if "it works" from a customer perspective, just if it ~has~ worked at least once as far as symantec knows internally ?

I'm a developer, I swear I won't come back in fury whining about broken os if it doesn't work. Just want to know if it has worked. I'm guessing it has, don't think the filesystem changed enough to break if decrypted before upgrade.

You can even just reply directly to my account email, or give a sly wink or any hint at all that I can intuit means it has worked somewhere. =)

-2
Sarah Mays's picture

in PGP DT 10.1.2 (build 9 through build 50) have added code to PGP desktop that prevents you from launching PGP desktop and encrypting a hard drive.

You can still encrypt with the PGPWDE command... it seems to work w/o an issue.. but who knows what will break/not break. or is it simply the issue of PGP DT always encrypts all partitions (at least through pgp desktop.. you can partition encrypt with pgpwde) and they need to add code so the recovery partition is not automatically encrypted?

+2
Kelvin_Kwan's picture

I'm no engineer, but I suspect code will be added to deal with the recovery partition.  PGP ran into this problem when recovery partitions became the "rage" for the WinTel vendors.  

Remember, encrypting/running PGP DT 10.1.2 with Lion is at your own risk.  

We, like every other software vendor out there, are working our hardest to address any incompatibility issues due to the Lion upgrade.

Thanks for your patience.

Regards,
-kelvin

-2
JonLundy's picture

I have encrypted my drive after installing Lion.. 

From my experience it *encrypts* and "Bad Things" don't happen. I have found two issues.

1) The PGP Desktop software will not open stating that it is not supported. But the drive encryption did work. I have the enterprise version for my work laptop and it automatically starts up even though the desktop app gave the error and quit. 

2) My computer will not restore after it sleeps. It *will* restore if it just recently went to sleep but if it has been a while after it will not respond and pressing the power button 2 times will cause it to boot. I think I can get around this with changing the sleep state mode.

cheers. 

+2
JB23zz's picture

I think we all appreciate the updated information, but I have a comment about what seems to me to be the slow pace of Lion development. It's been mentioned that Lion-ready versions will be available "in a few months." Your testing procedures are geared I assume to the 10.7.0 release, but "in a few months" Apple will most likely have released a .1 or a .2 version. Since the point upgrades (at least two so far) are causing major problems, I'm not sure Symantec will ever catch up to any given current point release.

If you release a solid 10.7.0 upgrade in the fall, what about all of us that have moved on to 10.7.1 or 10.7.2 in the mean time?  We'll be right back to where we are now.

-2
Kelvin_Kwan's picture

Correct, we are testing against the current 10.7.0 GA release.  When the .z release comes out from Apple, we hope to be 100% compatible out of the box.  Most software companies use a .z release as a bug fix release.  Therefore we do not anticipate any issues.

In our defense, the last 10.6.8 release, the issue was already addressed.  The problem was that some users were not running the latest version of PGP Desktop.  If they were running the latest version, then they would not have run into any problems.  I'm not making excuses, but just want to point this out.

The previous release, which I believe to be 10.6.5, yeah, we were surprised by that as well.  Long story short was that all of our testing against the Preview code indicated no issues.  When the GA came out, we then saw the problem.  Believe me, we learned from that incident.  We have since built in more safeguards to protect the boot.efi file.  

For those that are looking for some background history, here's a post I have on 10.6.8 which also links to the 10.6.5 incident as well.  

Regards,
-kelvin

-2
JB23zz's picture

Kelvin,

You're right, obviously, about the .8 problems; I was mistaken to consider that both point release problems were due to the same reason,  but as many people have pointed out elsewhere, it's now VERY difficult for users to determine if they are in fact running a good version when new OS X versions are released, but I don't want to rehash that point.

For a reason I can't remember, I coincidentally did a complete reinstall when 10.6.5 came out, and I'd already reinstalled WDE and reencrypted the disc using my existing WDE version before I realized that I'd have had big problems if I had simply upgraded to 10.6.5 without a clean install. I was lucky.

I was lulled and did get nailed with the .8 upgrade however.  In any event, I've learned that in the case of WDE it is absolutely critical to look before you leap.  Now that I've installed Lion, I obviously am not running WDE.  But I'll reinstall it after any given WDE upgrade only after I'm absolutely positive by reading it here, that the WDE version is certified for my point release of OS X.

0
Oster-ITSO's picture

Kelvin,

One thing that concerns me with regard to PGP WDE and Lion is the following:

http://www.macnews.com/2011/07/12/lion-security-up...

While none of us really knows what this means yet, it seems that the times that PGP/Symantec has been caught by surprise have been when Apple has made changes w/out releasing them to developers. Do you have a sense for the additional risk factor in light of automatic background software updates?

+2
yyzguy's picture

Hasn't anyone noticed the obvious?

You can get rid of PGP WDE and use FileVault 2, if all you want is FDE.

It's true, PGP is more than just WDE (if you pay more), but I think most people just want to protect their disk contents, especially if using a laptop which could easily be stolen.

Why put up with Symantec's inability to send an email to warn people of the problems of updating too quickly, when you can have the FREE built-in FileVault 2?

Interestingly enough, they seem to be able to send an email when it's time to renew your support agreement and then follow up with a human calling on the telephone, but they don't seem to be able to make much of an effort to tell you when PGP has an update....you need to find it yourself, if you remember to do it (Yes, after being burned once or twice, most of us will remember to check.)

Anyway, I decrypted my drive, uninstalled PGP, ran the built-in Apple Disk Utilities (which, btw never worked with PGP WDE), installed Lion, encrypted with FileVault 2 and couldn't be happier.

Just wish I had never spent the money for PGP WDE... although I did get a full year's use. But it's no longer relevant.

It's clear they are doing whatever they can to keep the PGP WDE customers, but the truth is, there's not much need for their WDE anymore.

-2
nnim's picture

Hi,

Just wondering what the current state is, since PGP Desktop 10.2 is not working properly on Lion (and we have dozens of clients to migrate). If there is no solution during the next days, we will move to GnuPG, Truecrypt and FileVault (even though the first one is not that convenient). It is also a pain that there is no auto-update / auto-info about updates in PGP Desktop 10.1. Sorry to write clear words, but it is the truth...

Regards,
raphael

-2
Symc_TomC's picture

nnim - hang tight a couple more days.  You should see a posting real soon regarding the upcoming release.

Thanks

Tommy Cooper
Regional Product Manager (RPM)

Information Security Group | Encryption
Symantec Corporation

0
Kelvin_Kwan's picture

FYI everybody, PGP Whole Disk Encryption 10.2 and Symantec Endpoint Encryption 8.2 MP1 have just been released.

These updated versions can now support Mac OSX Lion.

You can find the KB article here:  http://www.symantec.com/business/support/index?page=content&id=TECH165159

You can grab the latest version from here:  https://fileconnect.symantec.com

Thanks!

EDIT:  changed the KB article link

0